REDUNDANCY CONTROLS IN CONVERGENT ENCRYPTION USING DYNAMIC SALT VALUES

    Publication (Announcement) No.: US20220103339A1

    Publication (Announcement) Date: 2022-03-31

    Application No.: US17037427

    Filing Date: 2020-09-29

    Abstract: Systems and methods are described for providing storage of encrypted data sets, deduplication of such data sets, and control of the redundancy of those data sets. A form of modified convergent encryption can be employed, whereby an encryption key for a data set is selected based on a combination of the plaintext of the data set and a salt value, with the salt value being selected from a number of permutations corresponding to a desired redundancy of the data set in a storage system. Accordingly, a given data set can result in a number of ciphertexts equal to the desired redundancy, and deduplication can occur by removing duplicative instances of individual ciphertexts. Salt values can be selected according to a variety of criteria, including user-based, time-based, and location-based criteria.

    Securing workspaces in a cloud computing environment

    Publication (Announcement) No.: US10075459B1

    Publication (Announcement) Date: 2018-09-11

    Application No.: US14161428

    Filing Date: 2014-01-22

    Abstract: A computing system that provides virtual computing services may generate and manage remote computing sessions between client computing devices and virtual desktop instances hosted on the service provider's network. Each virtual desktop instance may include a network interface for communication between the virtual desktop instance and client computing devices, and a second interface that connects the virtual desktop instance to entities on other networks (e.g., Internet destinations, or shared resources on an internal network). An administrative component or client application may detect a condition indicating that the second interface should be disconnected or its operation modified in order to prevent or curtail malicious use of the virtual desktop instance, such as inactivity, server-type activity or other suspicious activity, suspension or closing of a remote computing session, or a timeout condition, or may proactively disconnect the interface or modify its operation based on observed or expected usage patterns.

    Efficient deduplication using block-based convergent encryption

    Publication (Announcement) No.: US11582025B2

    Publication (Announcement) Date: 2023-02-14

    Application No.: US17037369

    Filing Date: 2020-09-29

    Abstract: Systems and methods are described for providing secure storage of data sets while enabling efficient deduplication of data. Each data set can be divided into fixed-length blocks. The plaintext of each block can be convergently encrypted, such as by using a hash of the plaintext as an encryption key, to result in block-level ciphertext that can be stored. If two data sets share blocks, the resulting block-level ciphertext can be expected to overlap, and thus duplicative block-level ciphertexts need not be stored. A manifest can be created to facilitate re-creation of the data set, which manifest identifies the block-level ciphertexts of the data set and a key by which each block-level ciphertext was encrypted. By use of block-level encryption, nearly identical data sets can be largely deduplicated, even if they are not perfectly identical.

    Single use execution environment for on-demand code execution

    Publication (Announcement) No.: US11604669B2

    Publication (Announcement) Date: 2023-03-14

    Application No.: US16782873

    Filing Date: 2020-02-05

    Abstract: Systems and methods are provided for efficiently configuring an execution environment for an on-demand code execution system to handle a single request (or session) for a single user. Once the session or request is complete, the execution environment is reset, such as by having the hardware processor state, memory, and storage reset. In particular, prior to the execution of code, state of the execution environment of the host computing device is retrieved, such as hardware processor(s), memory, and/or storage state. Moreover, during execution of the code instructions, intermediate state can be gathered. Following the execution of the code, the execution environment is reset based on the saved state related to the hardware processor(s), memory, and/or storage. A subsequent code execution securely occurs in the execution environment and the execution environment is reset again, and so forth.

    Single use execution environment with scoped credentials for on-demand code execution

    Publication (Announcement) No.: US11546324B1

    Publication (Announcement) Date: 2023-01-03

    Application No.: US16782774

    Filing Date: 2020-02-05

    Abstract: Systems and methods are provided for scoped credentials within secure execution environments executing within virtual machine instances in an on-demand code execution system. In the on-demand code execution system, the execution environments are reset after every request or session. By resetting the single execution environment after each request or session, security issues are addressed, such as side-channel attacks and persistent malware. Additionally, the use of scoped credentials improves security by limiting the access rights for each code execution request or session to the smallest atomic level for the request or session. Following the request or session, the scoped credential is invalidated.

    Coordinated file system security via rules

    Publication (Announcement) No.: US09703974B1

    Publication (Announcement) Date: 2017-07-11

    Application No.: US14137368

    Filing Date: 2013-12-20

    Inventor: Osman Surkatty

    Abstract: A method and system are disclosed for coordinated file system security via rules. A file system condition rule can specify any of a wide variety of file system conditions related to security risks, such as sensitive information in impermissible locations, impermissible file permissions, stray files, and the like. The rules can be administered at a central location and distributed across machines. The machines can then execute the rules against their local file systems. The rules can further specify actions to be taken, including deleting files, sanitizing files, sending an alert, or the like. Violations can be tracked and analyzed to determine what is causing recurring scenarios. A web service can expose the technologies to cloud service consumers.

    Virtual private network environments for serverless code executions

    Publication (Announcement) No.: US11470048B1

    Publication (Announcement) Date: 2022-10-11

    Application No.: US16912485

    Filing Date: 2020-06-25

    Abstract: Systems and methods are described for providing on-demand virtual private environments (VPEs) to serverless code executions. Each VPE can represent a logical isolated network environment. On receiving a request to execute code, an on-demand code execution system can generate a VPE for the code and provision the VPE with network endpoints and gateways that provide access to network services and locations that the code is permitted to access, which services and locations can be identified based on permissions for the code. The on-demand code execution system can then execute the code within an execution environment attached to the VPE, such that network transmissions caused by the code are subject to network-level enforcement of the permissions for the code.

    Redundancy controls in convergent encryption using dynamic salt values

    Publication (Announcement) No.: US11329803B2

    Publication (Announcement) Date: 2022-05-10

    Application No.: US17037427

    Filing Date: 2020-09-29

    Abstract: Systems and methods are described for providing storage of encrypted data sets, deduplication of such data sets, and control of the redundancy of those data sets. A form of modified convergent encryption can be employed, whereby an encryption key for a data set is selected based on a combination of the plaintext of the data set and a salt value, with the salt value being selected from a number of permutations corresponding to a desired redundancy of the data set in a storage system. Accordingly, a given data set can result in a number of ciphertexts equal to the desired redundancy, and deduplication can occur by removing duplicative instances of individual ciphertexts. Salt values can be selected according to a variety of criteria, including user-based, time-based, and location-based criteria.

    EFFICIENT DEDUPLICATION USING BLOCK-BASED CONVERGENT ENCRYPTION

    Publication (Announcement) No.: US20220103338A1

    Publication (Announcement) Date: 2022-03-31

    Application No.: US17037369

    Filing Date: 2020-09-29

    Abstract: Systems and methods are described for providing secure storage of data sets while enabling efficient deduplication of data. Each data set can be divided into fixed-length blocks. The plaintext of each block can be convergently encrypted, such as by using a hash of the plaintext as an encryption key, to result in block-level ciphertext that can be stored. If two data sets share blocks, the resulting block-level ciphertext can be expected to overlap, and thus duplicative block-level ciphertexts need not be stored. A manifest can be created to facilitate re-creation of the data set, which manifest identifies the block-level ciphertexts of the data set and a key by which each block-level ciphertext was encrypted. By use of block-level encryption, nearly identical data sets can be largely deduplicated, even if they are not perfectly identical.